skout-blog

Cybersecurity Threat Advisory 0041-20: Palo Alto Networks Vulnerability: Authentication Bypass in SAML Authentication (CVE-2020-2021)

Advisory Overview

Palo Alto Networks disclosed a critical vulnerability all next-generation firewalls running certain versions of PAN-OS that could allow an attacker to bypass authentication. SKOUT recommends upgrading PAN-OS to a fixed version. Full recommendations and links are available below.

Technical detail and additional information

What is the threat?

Palo Alto Networks disclosed a critical vulnerability found in PAN-OS that could allow unauthenticated network-based attackers to access secure and protected resources within an organization’s infrastructure. This vulnerability can be exploited if the Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled. The improper verification of signatures in the SAML authentication will allow an unauthenticated attacker to gain access to critical company resources.

Why is this noteworthy?

Palo Alto Networks is a highly reputable firewall vendor which are used by a vast number of organizations globally. While there is no indication yet that this exploit is appearing in the wild, the researchers have provided enough information to determine that it is likely that we will see this exploit used in the near future.

The vulnerability cannot be exploited if SAML is not used for authentication or if the ‘Validate Identity Provider Certificate’ option is enabled in the SAML IDP Server Profile. This is also the second vulnerability disclosed by Palo Alto Networks that has been rated as critical severity with a CVSS score of 10.

What is the exposure or risk?

This vulnerability severely impacts multiple system environments within Palo Alto Networks. “In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions.

What are the recommendations?

References:

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.